II. OUTLINE AND EXPLANATION OF THE INDIVIDUAL CODING FIELDS
9. RECOVERY ACTIONS
The following sections provide explanation and information on each coding field and the individual codes used in each field. Where it is necessary, examples of how the individual codes need to be applied are given. It is possible that more than one individual code in each field may be applied to a single IRS report. For the completion of all IRS reports to be submitted, at least one entry is desirable for each coding field.
A report may be prepared not only because an event has occurred, but also because lessons learned have been identified which may assist in avoiding recurrence of events elsewhere. It is
1 For purposes of consistency, the numbering of the coding fields in the present guidance is the same as that in Appendix C of Ref. [1].
important to note that the examples used in this manual are for illustration purposes to provide additional guidance for the preparation of IRS reports.
1. REPORTING CATEGORIES
The categories are intended to provide a basis for identifying safety related events and other information to be reported to the IRS. Complex events may fall and be coded into more than one category.
1.1 Unanticipated releases of radioactive material or exposure to radiation
This category is intended to report the events involving unanticipated releases of radioactive material or exposures that may occur to plant personnel, the public and the environment due to actual or potential weaknesses in operational controls, design, etc.
1.1.1 Unanticipated releases of radioactive material Examples:
Any releases of radioactive material that exceed prescribed limits whether they are confined to the site or extend beyond it such as:
• Unplanned release that exceeds prescribed limits due to operational errors;
• Release of radioactive material due to failure of a storage tank for gaseous or liquid waste that exceeds prescribed limits for off-site or on-site releases;
• Release of radioactive material or spread of contamination rendering an on-site area inaccessible, with the result that items important to safety cannot be controlled, tested or maintained, and which has to be declared inoperable;
• Release of radioactive material or spread of contamination posing a problem for safety of plant personnel;
• Release of radioactive materials to the environment through unidentified routes which could not be monitored by the plant equipment and procedural inadequacies in the management of radioactive waste, e.g. failure of underground pipework.
1.1.2 Exposure to radiation that exceeds prescribed dose limits for members of the public
Example:
• Exposures to members of the public from sources of direct radiation at the site, from unplanned releases due to failure of barriers, or from an unexpected concentration of radioactive material from controlled releases due to inadequacies in waste management systems and/or operations.
1.1.3 Unanticipated exposure to radiation for site personnel Example:
• Exposure to site personnel due to failures in access control procedures, degradation of protection equipment, inadequacies in administrative controls or due to unplanned on-site releases.
Note:
These codes (1.1.2 and 1.1.3) are also selected in case the event led to an unanticipated release of radioactivity in the plant or the environment or resulted in an unanticipated exposure to plant personnel or the public, even if the release or the radiation dose did not exceed the prescribed limits.
1.2 Degradation of barriers and safety related systems
This category is intended to include events and issues where actual or potential serious degradation has occurred in the systems affecting the fundamental safety functions of (i) Reactivity control, (ii) Radioactive material cooling and (iii) Confinement of the radioactive material.
This code is only used when the appropriate code(s) among 1.2.1–1.2.6 cannot be identified.
When the failure was found during a periodical inspection, even without an actual effect, the appropriate code 1.2.1–1.2.6 is indicated.
1.2.1 Fuel cladding failure Examples:
• Fuel cladding failure requiring plant shutdown;
• Spent fuel cladding failure while handling and storing in the storage pool;
• Fuel assembly failure (detachment of a fuel rod, spacer grid, etc. from the assembly);
• Fuel failure noticed during off-line and on-line refuelling operations.
Note:
Fuel cladding is the first barrier to prevent release of radioactive material. Reporting of limited anticipated leaks which do not prevent continued operation is not necessary. Fuel cladding failure or challenge caused by unexpected factors/failure mechanisms with or without significant release of fission products is also included.
1.2.2 Degradation of the primary coolant pressure boundary, main steam or feedwater line or other high energy systems
1.2.2.1 Degradation of primary coolant pressure boundary Examples:
• Through-wall failure of the piping or the significant components of the primary coolant circuit;
• Welding or material related defects in the primary coolant circuits;
• Loss of relief and/or safety valve functions during tests or operation;
• Reactor system coolant leakage exceeding the technical specification limits or defeating the ‘leak before break’ criteria;
• Rapid pressure and temperature transient exceeding the authorized limits and may be jeopardizing the integrity of the reactor pressure vessel.
Note:
The reactor vessel and the reactor coolant system, including all the connected equipment (pumps, valves, steam generators, branch pipes up to isolation valves) that are exposed to reactor pressure, form a second barrier to the escape of fission products.
1.2.2.2 Degradation of main steam or feedwater lines Examples:
• Through-wall failure of the piping or the significant components of the steam or feedwater lines affecting the decay heat removal capacity, containment function or release of radioactivity.
• Welding or material related defects in steam or feedwater lines.
• Loss of relief and/or safety valve functions during tests or operation.
• Failure of Steam Generator.
1.2.2.3 Degradation of other high energy systems Examples:
• Through-wall failure of the piping or the significant components of the of steam generator blowdown, letdown lines prior to heat exchange and pressure reduction devices, auxiliary steam system, etc.
• Welding or material related defects in high energy system pipe lines.
• Loss of relief and/or safety valve functions during tests or operation affecting the adjacent safety related equipments.
• Failure of high pressure fluid system of turbine-generator affecting fire safety.
1.2.3 Degradation of containment function or integrity Examples:
• Containment leakage rates exceeding the Technical Specification limits.
• Loss of containment isolation valve functions during tests or operation.
• Loss of containment cooling/spray capability.
• Loss of pressure suppression/wetwell functioning capability.
• Loss of containment function during refuelling operations.
Note:
This code is also selected in case of:
1. Containment relief valve opens due to high pressure in the containment vessel.
2. Containment liner degradation is observed.
3. Failure of primary or secondary containment function.
1.2.4 Degradation of systems required to control reactivity Examples:
• Failures of the control rod system (fully or partially).
• Accidental criticality and control rod ejection.
• Failures or dilution of the boron injection system.
• Failure/inadequacies/dilution of burnable poison.
• Failures of recirculation system and/or addition of coldwater affecting the reactivity (check also applicability to 1.2.5).
• Reactivity anomaly or discrepancy in shutdown margin observed.
• Failure of primary/secondary shutdown and liquid poison system.
• Failure of demineralizer/ion exchanger affecting the reactivity.
• Failure of regulating system including liquid zone control, local power control and moderator level control.
• Failures of flux tilt control and local power distribution.
• Uncontrolled reactivity oscillation.
• Failure in administrative and operational controls (errors in core loading, defects in fuel manufacturing, mistakes in estimation of isotopic concentration of uranium in the fuel, etc.)
• Discrepancies observed in calculated and measured values of critical boron concentration.
1.2.5 Degradation of systems required to assure primary coolant inventory and core cooling
Examples:
• Failures of the emergency core cooling systems such as the high/low pressure core injection system and the core spray system.
• Failure of the primary coolant pump and system.
• Loss of auxiliary/emergency feedwater system.
• Loss of residual decay heat system, shutdown cooling system, etc.
• Failure of the pressure control system and the relief valves.
• Failure of the recirculation flow system (check also applicability to 1.2.4).
• Loss of moderator cooling and failure of moderator system.
• Flow blockage of coolant (full or partial) affecting the fuel integrity.
Notes:
1. Failure to remove core power or residual heat may result in uncontrolled primary coolant and fuel temperature increases putting fuel integrity at risk. Failures of such related systems are to be covered under this code.
2. Uncontrolled primary coolant system pressure increases may also challenge or jeopardize the integrity of pressure barriers. Failures of such devices are to be covered under this code.
1.2.6 Degradation of essential support systems Examples:
• Loss of essential AC/DC power to safety related buses including control power supply.
• Failures of the emergency diesel generator system.
• Loss of essential service water, instrument air, fuel oil, gas, ventilation and air conditioning, etc.
• Loss of backup fire water systems used for decay heat removal.
• Loss of fire protection system affecting essential equipment/safety systems.
• Loss of non-safety system affecting the essential support systems.
1.3 Deficiencies in design, construction (including manufacturing), installation and commissioning, operation, (including maintenance and surveillance), safety management/quality assurance system, safety evaluation and decommissioning
Deficiencies related to the above key elements show the weakness in maintaining the highest safety standards that may lead to loss of safety functions unless rectified. Some of these deficiencies may be plant life limiting.
1.3.1 Deficiencies in design Examples:
• Deficiencies in the design could result in loss of a safety function/ system, common mode failures affecting the plant safety.
• Degradation observed due to material incompatibility, environmental or operating conditions, layout, sizing and computational errors which are not properly considered during design.
1.3.2 Deficiencies in construction (including manufacturing), installation and commissioning
Examples:
• Degradation of materials due to environmental conditions not sufficiently considered or anticipated in the design stage.
• Errors made during construction or installation that could influence the performance of the system or component if not detected during testing, maintenance or otherwise.
• Deficiencies observed during construction, manufacturing, initial installation and back fitting of equipment.
• Deficiencies detected during commissioning.
• Latent deficiencies which have lead to events during operation.
• Degradation observed in civil structures due to inadequate construction quality/
supervision.
• Quality assurance weaknesses observed in manufacturing, installation and commissioning.
1.3.3 Deficiencies in operation (including maintenance or surveillance)
Personnel errors (including that of contract personnel) occurring during maintenance work are also coded here.
Examples:
• Loss of plant capability to perform safety functions due to personnel errors, procedural deficiencies/non-adherence and shortcomings in design of man-machine interfaces.
• Non-adherence to licence conditions/operational limits and conditions or other provisions.
• Inadequacies noticed in diagnostic systems.
• Inadequate training.
1.3.4 Deficiencies in safety management/quality assurance system Examples:
• Wrong documents used for maintenance.
• Component does not meet the design requirement.
• Insufficient verification of completed work.
• Deficiencies in quality assurance program/measures.
• Quality assurance deficiencies in non-safety related systems that may affect safety related systems.
• Tools and devices used for testing during commissioning and operation that were unable to detect deterioration.
1.3.5 Deficiencies in the safety evaluation Examples:
• Any event caused by a failure, condition, or action that demonstrates a dependence of essential structures, systems and components that was not previously identified for accomplishing the safety functions.
• Any event that results in the nuclear power plant not being in a controlled condition or that results in an unanalysed condition that compromises plant safety.
• Deficiencies in the scope of the safety evaluation, event sequences and operating conditions considered in the design analysis.
• Environmental conditions not considered properly, unforeseen system interactions, non-conservative calculations and deficiencies in the safety evaluation.
1.3.6 Deficiencies in decommissioning Examples:
Deficiencies/failures that result in:
• Generation of radioactive waste being unable to meet the acceptance criteria for storage and disposal.
• Unacceptable quantities of pollutants and/or hazardous waste.
• Spread of contamination due to breach of safety barriers.
• Unacceptable radiation exposure to occupational workers, the public and the environment.
• Inadequacies observed in the decommissioning plan and in implementation of the activities.
1.4 Generic problems of safety interest
Deficiencies affecting several plant systems or components, or having implications for other plants, or indicating the existence of generic problems of safety significance are to be reported.
Examples:
• Series of events where individual events are not of significant importance.
• Recurring events.
• Events with implications for similar facilities.
• Generic problems not adequately addressed by operation experience feedback, research and regulation.
1.5 Consequential actions taken by the regulatory body
Changes made by the regulatory body for licensing/license conditions of nuclear power plants based on the lessons learned from reported events.
Examples:
Warning notices, prohibitions, prosecutions, etc., resulting from reported events taken by the competent safety authority on:
• Licensing/license conditions.
• Design/safety assessment/safety analysis.
• Construction.
• Commissioning.
• Operation.
• Emergency planning.
• Training and qualification.
• Decommissioning.
1.6 Events of potential safety significance
Events/near-misses having no actual significant consequences but which may have the potential to become safety significant.
Examples:
• Events that could lead to potential loss of a safety function.
• Failure of mid-loop operation, header level control or loss of natural circulation.
• Loss of water in spent fuel storage facility that may lead to uncovering of spent fuel elements.
• Loss of shielding capability.
• Fall of spent fuel assembly during refuelling without any consequences.
• Radioactive material container/shipment accident during transportation without any consequences.
1.7 Effects of unusual events of either human — induced or natural origin
Events (internal and external) that could challenge the ability of the plant to operate, shut down or to maintain shutdown conditions in a safe manner.
Examples:
• An earthquake observed at the plant.
• A flood requiring countermeasures.
• Natural events (tsunami, Cyclone, ice-formation, pollution of river/sea water, lightening, heavy snowfall, etc.).
• Human-induced events such as an aircraft crash, fire, explosion, transport accident, breach of security, terrorist attack, sabotage, etc.
• Electromagnetic/radio frequency interference.
1.8 Other findings and operating experience information
New perspectives, industry initiatives, operating experience feedback from other industries are to be reported.
Examples:
• Failures in other industry applicable to nuclear industry.
• New safety requirements due to Severe Accident Management Guidelines.
• Risk based and risk informed insights.
2. PLANT STATUS PRIOR TO THE EVENT
The plant status at the time of the event is indicated in the IRS report even if it has no relation to the sequence of the event. In this case the code ‘2.0 Not Applicable’ is also used along with the appropriate plant status code.
2.0 Not Applicable 2.1 On power
2.1.1 Full allowable power
This code covers the stable operation above 90 percent power.
2.1.2 Reduced power (including zero power)
This code covers the stable operation from criticality to 90 percent power.
2.1.3 Raising power or starting up
This code covers starting of the unit from cold or hot shutdown to power rise. This code also covers reactor startup for shutdown margin test or low power physics tests or cold criticality tests, etc.
2.1.4 Reducing power
This code covers the period of power reduction of the unit.
2.1.5 Refuelling on power
Some reactors, for example CANDU and GCR, can be refuelled during power operation. For these types of reactors, this code can be selected. This code may also be used in case the refuelling is done in these units during unit shutdown.
2.2 Hot shutdown conditions
2.2.1 Hot standby (coolant at normal operating temperature)
In this state, primary coolant is around normal operating temperature and with the reactor subcritical.
2.2.2 Hot shutdown (coolant at or below normal operating temperature)
In this state, primary coolant temperature is less than the normal operating temperature (but greater than cold shutdown temperature limit depending on reactor design) and with the reactor subcritical and the vessel closed.
2.2.3 Natural circulation cooling
This code covers the effect of natural circulation cooling during hot shutdown conditions.
2.3 Cold shutdown
2.3.1 Cold shutdown with closed reactor vessel
In this state, primary coolant temperature is lower than the hot shutdown temperature limit depending on reactor design with reactor vessel closed.
2.3.2 Refuelling or open vessel (for maintenance)
For reactors (PWR, BWR, etc.) where the reactor vessel needs to be opened for refuelling this code is selected in addition to other relevant codes. The reactor vessel is also opened for inspection or maintenance.
2.3.2.1 Refuelling or open vessel — all or some fuel inside the core
This code covers vessel in flooded condition for fuel movement and also for inspection and maintenance.
2.3.2.2 Refuelling or open vessel — all fuel out of the core
This code covers vessel in flooded or drained condition for inspection and maintenance with fuel removed fully from the core.
2.3.3 Mid-loop operation and other reduced primary coolant inventory conditions This code covers mid-loop operation or header level control with reduced primary coolant inventory for special maintenance works.
2.3.4 Natural circulation cooling
This code covers decay heat removal capabilities during cold shutdown through natural means.
2.4 Pre-operational
2.4.1 Construction, installation
The plant is under construction and equipment installation.
2.4.2 Commissioning
This covers the time span between the completion of construction and the beginning of commercial operation. Preoperational and commissioning phases are marked with this code.
This code can be applied together with other codes in Section 2.
2.5 Testing or maintenance being performed
This code covers only the case where the test or maintenance work has a direct relation to the event, including the case where the failure was discovered during a period of testing or maintenance. It will always be used together with other codes in this section.
2.6 Post-operational (decommissioning/dismantling/decontamination) This code indicates the plant status during decommissioning, etc.
3. FAILED/AFFECTED SYSTEMS This field identifies:
(a) The systems that failed or lost their normal function, thereby initiating, or triggering the event;
(b) The systems that lost their normal function or were damaged as a direct result of the event;
(c) The systems of safety importance that were damaged or affected during or as a result of the event.
Systems distinguished with subdivisions under this code are:
A. Primary systems
B. Essential reactor auxiliary systems C. Essential service systems
D. Essential auxiliary systems E. Electrical systems
F. Feed water, steam and power conversion systems
H. Heating, ventilation and air conditioning systems (HVAC) I. Instrumentation and control systems
K. Service auxiliary systems S. Structural systems
W. Waste management systems Z. No system involved
Some components or sub-components in a system can be categorized in more than one code particularly if it has two or more functions (activating or de-energizing other systems). In such cases select all codes that represent the dependency of those systems on that component or sub-component which have lost their normal function or were affected.
Only those systems are coded that play a direct role in the cause of the event, either because the system failed or lost its normal function, thereby triggering the event or because the system lost its function, was damaged or affected during or as a result of the event.
Although many systems may be affected by the event or are actuated to function, they are not selected for coding if the system functions as designed or if the functional loss is not safety related (see the examples with explanations in this chapter).
In the following sections a detailed description of systems is given along with the constituting parts or components.
3.A Primary systems
Primary systems are systems and components that specifically confine and control nuclear reaction and provide safety functions that cool and shut the reactor down during normal operations and in the case of a failure or malfunction. Primary systems include the
Primary systems are systems and components that specifically confine and control nuclear reaction and provide safety functions that cool and shut the reactor down during normal operations and in the case of a failure or malfunction. Primary systems include the